Multiple Arbitrary Information Disclosure and Edition

vendor:
ILIAS LMS
by:
J.M.R. (jmramos@emergya.com)
8,5
CVSS
HIGH
Multiple Arbitrary Information Disclosure and Edition
200
CWE
Product Name: ILIAS LMS
Affected Version From: 3.10.7/3.9.9
Affected Version To: 3.10.7/3.9.9
Patch Exists: YES
Related CWE: CVE-2013-4591, CVE-2013-4592
CPE: a:ilias_project:ilias:3.10.7
Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2013-4591/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2013-4592/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2013
Multiple Arbitrary Information Disclosure and Edition

Multiple vulnerabilities in ILIAS LMS 3.10.7/3.9.9 allow remote attackers to obtain sensitive information and modify data via unspecified vectors.
Mitigation:

Upgrade to version 3.10.8 or 3.9.10
Source
Exploit-DB raw data:

***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**							                                     **
**    											     **
**                           ME VOY A LA PLAYA!...QUE CALOoOoOoR!...Lo0oL                    **
**					Ä„PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	       MULTIPLE ARBITRARY INFORMATION DISCLOSURE AND EDITION       	     |
|--------------------------------------------------------------------------------------------|
|                              |    ILIAS LMS <= 3.10.7/3.9.9      |                         |
|  CMS INFORMATION:	        -----------------------------------	                     |
|										             |
|-->WEB: http://www.ilias.de/				          	                     |
|-->DOWNLOAD: http://www.ilias.de/docu/goto.php?target=st_229_35&client_id=docu		     |
|-->DEMO: http://www.demo.ilias-support.com/  	     			                     |
|-->CATEGORY: LMS/Education								     |
|-->DESCRIPTION: ILIAS is a powerful web-based learning management system that allows you    |
|		to easily manage learning resources in an integrated system. 	     	     |
|-->RELEASED: 2009-06-22								     |
|											     |
|  CMS VULNERABILITY:                                    	                             |
|											     |
|-->TESTED ON: firefox 3								     |
|-->DORK: "powered by ILIAS"	         				                     |
|-->CATEGORY: ARBITRARY INFORMATION EDITION/DISCLOSURE		                             |
|-->AFFECT VERSION: 3.10.7/3.9.9        		 			             |
|-->Discovered Bug date: 2009-06-28							     |
|-->Reported Bug date: 2009-06-28							     |
|-->Fixed bug date: 2009-06-30								     |
|-->Info patch (3.10.8/3.9.10): http://www.ilias.de/docu/goto.php?target=st_229_35           |
| &client_id=docu                                                                            |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: YEnH4ckEr <--<3--> Marijose.                                                    |
| I'm going to rest for some time...J. Enrique y Pedro...wtf!?...algo sobre ILIAS!! ^_^      |
----------------------------------------------------------------------------------------------



<<<<---------++++++++++++++ Condition: registered user +++++++++++++++++--------->>>>



I used my own account in my university...sorry for testing :P



#################################
/////////////////////////////////

ARBITRARY INFORMATION DISCLOSURE

/////////////////////////////////
#################################



-------------------
-------------------

"POST-ITS" ISSUE:

-------------------
-------------------



When a user, teacher, admin, alumn, post a new post-its,
he could read all post-its in database.

The vuln link would be:

http://[HOST]/[PATH]/ilias.php?col_side=right&block_type=pdnotes&rel_obj=0&note_id=1&note_type=1&cmd=showNote&cmdClass=ilpdnotesblockgui&cmdNode=50&baseClass=ilPersonalDesktopGUI


Changing note_id=1 for other value, for ex. 100, we could
read this posts-it.

That seems a low risk vuln but, when i tested on-line, ie,
against my university and i've got a lot of sensitive information.



-------------------
-------------------

"CMD" ISSUE:

-------------------
-------------------



Course/group/... calendars:

This would be a normal link:


http://[HOST]/[PATH]/repository.php?cmd=frameset&ref_id=50438


But if I change cmd=frameset for cmd=edit:


http://[HOST]/[PATH]/repository.php?ref_id=50438&cmd=edit


I access to information about this group/course/..., and I tried to
change it, but i got permission denied...anyway, i
can get how it's configured this group/course/...



-------------------
-------------------

"CALENDAR" ISSUE:

-------------------
-------------------



http://[HOST]/[PATH]/ilias.php?seed=2009-06-28&category_id=847&calendar_mode=2&cmd=edit&cmdClass=ilcalendarcategorygui&cmdNode=6&baseClass=ilPersonalDesktopGUI


Changing category_id, it shows sensitive information about
any course/group/...

Personal and global calendars are secure.



#########################################
/////////////////////////////////////////

ARBITRARY INFORMATION DISCLOSURE/EDITION

/////////////////////////////////////////
#########################################



This module (favorite) allows to get a repository of favorite links



-------------------
-------------------

"FAVORITE" ISSUE:

-------------------
-------------------


This would be the vuln link:


http://[HOST]/[PATH]/ilias.php?bmf_id=1&obj_id=926&cmd=editFormBookmark&cmdClass=ilbookmarkadministrationgui&cmdNode=2&baseClass=ilPersonalDesktopGUI


GET var 'obj_id' is the vuln var...changing for other value you can view and edit any favorite link.


User (victim) trusts in these links (He posts them)



############
////////////

VIDEOS DEMO

////////////
############



ARBITRARY INFORMATION DISCLOSURE AND EDITION ("FAVORITES") --> http://www.youtube.com/watch?v=i6D6UVR0358

ARBITRARY INFORMATION DISCLOSURE ("POST-ITS") --> http://www.youtube.com/watch?v=eSPp1dswe1E



####################
////////////////////

DISCLOSURE TIMELINE

////////////////////
####################




**2009-06-28**  ~~~~~> FIRST VULNS DISCOVERED

**2009-06-29**  ~~~~~> VULN REPORTED TO VENDOR

**2009-06-29**  ~~~~~> OTHER SECURITY ISSUE DISCOVERED

**2009-06-29**  ~~~~~> VULN REPORTED TO VENDOR WITH VIDEO AND REPORT

**2009-06-30**  ~~~~~> VENDOR RESPONSED

**2009-06-30**  ~~~~~> VENDOR CONFIRMED SECURITY ISSUES

**2009-06-30**  ~~~~~> VENDOR FIXED SECURITY ISSUES IN SVN FOR 3.9/3.10/Trunk (AND CONFIRMS 3.9 AFFECTED)

**2009-06-30**  ~~~~~> VENDOR CLARIFIED SECURITY ISSUES: "Confirm that all your exploits work in the latest published official release"

**2009-07-01**  ~~~~~> VENDOR CONFIRMED NEXT RELEASE WILL CONTAIN THE FIXES

**2009-07-01**  ~~~~~> I WILL WAIT NEXT RELEASE FOR FULL DISCLOSURE

**2009-07-08**  ~~~~~> ILIAS LAUNCHED NEW STABLE RELEASE (3.10.8 / 3.9.10)

**2009-07-11**  ~~~~~> I CONTACTED AGAIN TO SAY A DISCLOSURE DATE, STABLISHED FOR 2009-07-15 (WAIT ONE WEEK AFTER NEW RELEASE...)

**2009-07-12**  ~~~~~> ILIAS AGREE WITH THIS DATE AND POSTED A LINK FOR CREDITS

**2009-07-15**  ~~~~~> FULL DISCLOSURE...PUBLISHED ADVISORY.




<<<-----------------------------EOF---------------------------------->>>ENJOY IT!




##############################################################################
##############################################################################
##**************************************************************************##
##         SPECIAL THANKS TO: MILW0RM FOREVER!!...STR0KE THE BEST!          ##
##**************************************************************************##
##--------------------------------------------------------------------------##
##**************************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
##**************************************************************************##
##############################################################################
##############################################################################

# milw0rm.com [2009-07-15]